Cyber Defense Laboratory

TIAA: A Toolkit for Intrusion Alert Analysis
(Version 1.0)

What's new

We have revised the program code to make it efficient for large dataset analysis. We revised in-memory correlation, graph partition, graph visualization (output), focused analysis, clustering analysis, aggregation analysis, attack strategy extraction, etc.

To facilitate alert correlation, especially for prerequisite (pre-condition) and consequence (post-condition) based methods, we have developed a comprehensive knowledge base covering all Snort alert types (nearly 3,000 different types).

Supported Platforms

Download

Knowledge base for Snort (Note that this knowledge base was compiled in 2005. Some types do not apply any more due to the changes in Snort rule sets.)

Test Data and Execution Procedure

For the alert data generated by Snort network sensors:

Use Snort to analyze the traffic data and collect all alerts. Download the sample knowledge base XML file (for Snort alert types) and its schema. Download the sample property file (comment out the attributes for RealSecure, and uncomment the attributes for Snort). Proceed to use TIAA to analyze the alerts.

For the alert data generated by RealSecure network sensors:

Download this SQL statement and execute it in the database to create a target table "events";

Download any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)] generated by RealSecure; the data source is the DARPA 2000 evaluation dataset. You can import a dataset into MS SQL Server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";

Checklist before You Run this Tool

Ethereal (not necessary if you have downloaded our sample analysis results; you can get Ethereal from the Ethereal website)

Overview of Revisions to TIAA Version 0.4

In this version, our goal is to make TIAA efficient at analyzing large alert datasets. We observed that the efficiency of alert analysis largely depends on (1) the interaction between the database system and our Java programs, and (2) the efficiency of database operations. To improve the efficiency of TIAA, it is crucial to reduce the time spent on both. So, we revised the in-memory correlation to make it suitable for large dataset correlation. We also revised other utilities such as graph partition, graph visualization, focused analysis, clustering analysis, aggregation analysis and attack strategy extraction to reduce the interaction between the database and our programs as well as the time-consuming database operations such as table joins. We have tested our programs using datasets from our campus network and the DEF CON 9 datasets. Here we give some example correlation graphs and aggregated correlation graphs from our experiments (some graphs may be partial due to space constraints).

A correlation graph discovered in our campus network

New Comprehensive Knowledge Base for Snort Alert Types

To perform prerequisite (pre-condition) and consequence (post-condition) based alert correlation, it is crucial to specify the prerequisites and consequences of each alert type. We have studied nearly 3,000 alert types reported by Snort and specified the prerequisite and consequence for each of them. A subset of these alert types can be found here (around 380 alert types). A more complete knowledge base can be found here. (Note that this knowledge base was compiled in 2005. Some types no longer apply due to changes in the Snort rule sets.)
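The correlation rule behind this knowledge base is the "prepare-for" relation: an earlier alert prepares for a later one when a consequence of the earlier alert, instantiated with its own addresses, matches a prerequisite of the later alert. The following is an added illustration in Python, not TIAA's own code; the alert types, predicate templates and alerts are constructed, and the Snort-style knowledge base is reduced to a few entries.

```python
from dataclasses import dataclass

# Constructed knowledge base (alert type -> (prerequisites, consequences)).
# Predicate templates are illustrative, not entries from TIAA's XML file;
# SrcIP/DestIP are bound to the alert's own addresses when instantiated.
KB = {
    "ICMP PING NMAP": ([], ["ExistsHost(DestIP)"]),
    "SCAN nmap TCP": (["ExistsHost(DestIP)"], ["ExistsService(DestIP)"]),
    "EXPLOIT buffer overflow": (["ExistsService(DestIP)"], ["SystemCompromised(DestIP)"]),
    "MALWARE outbound connection": (["SystemCompromised(SrcIP)"], ["AttackerControl(SrcIP)"]),
}

@dataclass(frozen=True)
class Alert:
    id: int
    type: str
    src: str
    dst: str
    ts: int  # seconds (constructed values)

def instantiate(templates, alert):
    """Bind SrcIP/DestIP in predicate templates to the alert's addresses."""
    return {t.replace("SrcIP", alert.src).replace("DestIP", alert.dst) for t in templates}

def correlate(alerts):
    """Return 'prepare-for' edges (earlier_id, later_id): an edge exists when a
    consequence of the earlier alert matches a prerequisite of the later one."""
    edges = []
    ordered = sorted(alerts, key=lambda a: a.ts)
    for i, a in enumerate(ordered):
        cons = instantiate(KB[a.type][1], a)
        for b in ordered[i + 1:]:
            if b.ts > a.ts and cons & instantiate(KB[b.type][0], b):
                edges.append((a.id, b.id))
    return edges

# Constructed sample alerts: one scan-exploit chain against 198.51.100.5 and an
# unrelated scan of 198.51.100.9 that must not be linked into that chain.
SAMPLE = [
    Alert(1, "ICMP PING NMAP", "192.0.2.10", "198.51.100.5", 10),
    Alert(2, "SCAN nmap TCP", "192.0.2.10", "198.51.100.5", 20),
    Alert(3, "SCAN nmap TCP", "192.0.2.10", "198.51.100.9", 25),
    Alert(4, "EXPLOIT buffer overflow", "192.0.2.10", "198.51.100.5", 30),
    Alert(5, "MALWARE outbound connection", "198.51.100.5", "192.0.2.10", 40),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # edges of the correlation graph
```

Alert 3 stays isolated because its instantiated prerequisite names a different host, which is why the knowledge base must carry predicate parameters and not just predicate names.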